Banks: How to Stop POS Breaches
Helping Merchants with PCI Compliance, Malware Mitigation
While U.S. banks and credit unions scramble to connect the dots in the suspected payment card breach at building-supply retailer Home Depot, experts say more financial institutions are taking proactive steps to help merchants mitigate their risk of cyber-attacks.
Over the last nine months, calls for stronger card security have been fueled by retail POS breaches suffered at Target Corp., Neiman Marcus, P.F. Chang's, SuperValu and, most recently, Goodwill Industries.
By educating merchants about compliance with the Payment Card Industry Data Security Standard, or, in some cases, even providing network security services to their merchant customers, banking institutions are playing a more aggressive role in ensuring card fraud associated with point-of-sale attacks is contained.
"Security is hard, and security experts are hard to find," says Josh Shaul, vice president of product management at forensics firm Trustwave, which last month discovered the retail POS malware known as Backoff.
"Most security experts work for banks, so banks are in better positions than retailers to focus on security," Shaul adds. "A bank could offer their own managed services to their merchants or run a managed services offer through a partner provider and then audit that firm to make sure they are using best-of-breed services."
Banking institutions that serve as merchant acquirers are increasingly realizing they benefit from stronger retail security, Shaul says.
"We see a lot of our banking clients taking on pretty increased scrutiny of security for the merchants they work with," he adds. "It goes beyond just complying with the minimum standards. Banks are pushing their merchants to do more."
In the past, breached or non-PCI-compliant merchants were merely fined by their acquiring banks, but those merchants were still allowed to conduct payments. Today, more banks understand that it's more beneficial to have merchants use the money they would have historically paid in fines to invest in advanced security and anomaly detection instead, Shaul says.
"Banks see that those fines are not as meaningful anymore," he explains. "So rather than just having those [merchant] clients pay a fee, it would be better to dump that money into security training and security services. We are seeing that shift happen. And the real momentum behind it is that these banks are taking revenue out of their own pockets to say 'We want you to invest in security.'"
Helping merchants with PCI compliance also is a best practice recommended by Visa. Visa says acquirers should continue to review and scrutinize merchants for issues in audit scoping and security vulnerabilities. Educating merchants about the latest POS attack vectors and mitigation strategies is something all acquirers should be doing, Visa points out on its website.
Breaches: Impact on Banks
In the wake of these breaches, leading banks have stepped in to help shore up security with their merchant customers, says Bryan Sartin, a director of the RISK team at Verizon Enterprise Solutions, which specializes in breach investigations.
"If they support a business's ability to accept payment card transactions, then they should be doing more to ensure they are validating PCI compliance and making sure that those businesses have reasonable and effective countermeasures in place to ensure security," Sartin says. "Getting compliant is one thing. Staying compliant is another."
Sartin says banks are better positioned than merchants to assess risks, and more banks are realizing it's beneficial to assist merchants with PCI compliance.
"The banks or issuers out there could do more to help them understand the controls in PCI, such as where are the five or six points within the PCI standard that really make the greatest difference," he notes. "The banks could say, 'These are the areas where we see the greatest problems, and if you just pick these four, five or six things to focus on, then you could really mitigate your risks of exposure.'"
And more banks are doing just that.
"We do get a lot of requests for guidance and assistance from the banks," says Trustwave's Shaul. The banks want to know what they should be telling merchants and how they can protect them, he adds.
Common PCI Soft Spots
Sartin and Shaul say most retail breaches come down to the same types of security weaknesses, all of which are addressed within the PCI-DSS:
- Storing too much transactional data;
- The compromise of weak or stolen network or system credentials;
- Breaches that go undetected until a third party discovers them.
If merchants were to address those three PCI compliance areas, a majority of card compromises that result from POS breaches could be prevented, Sartin says.
"Almost 87 percent of data that is stolen during a breach comes from data stored in places the victims didn't know they had," Sartin says. "They know they have data, but they think it's on one server, rather than in many other places."
By helping merchants regularly conduct thorough risk assessments, banking institutions could play a key role in helping merchants eliminate the storage of duplicated, and often unnecessary, data, Shaul adds.
"The first piece is just conducting a general risk assessment," which banks do well, Shaul says. "They [merchants] need to have an inventory of the systems in their environment, and then they need to conduct some general vulnerability testing."
Banks should take steps to ensure their merchant clients are using two-factor authentication when accessing POS systems, Sartin says. "Four out of five breaches are traced back to the exploit of weak, easily guessed or stolen credentials," he says. "And two-thirds, maybe higher, of all card-present payments breaches in the retail sector result because of a remote-access compromise."
Peter Tapling, a financial fraud expert who's president and CEO of online security firm Authentify, says many retail breaches start with a network intrusion that is typically traced back to weak credentials. "Any merchant that does not have two-factor authentication in place for employees and suppliers is gambling that they won't be next," he says. "Enterprises should step up efforts to detect the exfiltration of data. Once the bad guys are in, they can get the data out."
That's just one reason why it's so critical that merchants scan their networks for vulnerabilities at least monthly, or, even better, weekly, Shaul explains.
"That should get followed up with deeper-dive penetration testing at least once per year," he says. "I think that is a huge step for most organizations."
And because breaches in the retail space usually go undetected until a card issuer or other third party, such as law enforcement, discovers the intrusion, it's clear more investments need to be made in network-intrusion technology, Sartin says.
"Merchants are using outdated sources to detect possible breaches," he says. "They are using old-fashioned tactics that banks could help them with. ... Banks are far more effective at response. Banks are more effective at identifying potential breaches and fraud and containing it."
Tapling says banks should begin to treat their merchant customers more like they treat suppliers. "Under FFIEC rules, suppliers to banks need to meet many of the same stringent operating requirements as the banks themselves and, most importantly, are audited against those same performance criteria," he says.